Latest news about Bitcoin and all cryptocurrencies. Your daily crypto news habit.
Subscribe to MobycastiTunes | Google Play | Soundcloud | Stitcher |Â Spotify
Show Notes
Jon Christensen and Chris Hickman of Kelsus and Rich Staats of Secret Stache continue their conversation on building RESTful APIs, specifically focusing on authentication and error handling. REST stands for Representational State of Transfer.
Some of the highlights of the show include:
- Importance of authentication with APIs to identify callers and their authorized permissions
- Stateless vs. stateful communication channels between entities
- Simplest authentication technique is to use basic HTTP metadata in headers; you must send it over an encrypted connection
- Exchanging short-lived tokens negotiated based upon userâs credentials is another option
- Authentication Advantages: Fewer username/password requests, ability to deny tokens
- Popular identity management services that reduce level of complexity and handle undifferentiated heavy lifting include Auth0, OneLogin, Okta, and Cognito
- Understand contract between clients and backend to avoid making things harder for application developers using the API
- Levels of Error Codes
- Public vs. private API information returned about callers may present security risks; perform error sanitizationâââdonât air your dirty laundry
- Hypermedia As The Engine Of Application State (HATEOAS): Caller starts with small number of well-known endpoints, then API becomes discoverable based on responses
- Holy Grail of HATEOAS: Offers possibility to launch new features and increase API functionality without any client change
- Apiary, Swagger, and Kong are tools that can be used to develop an API
Transcript
Rich: In episode 49 of Mobycast, we continue our conversation on building RESTful APIs. In particular, we discuss authentication and error handling. Welcome to Mobycast, a weekly conversation about containerization, Docker, and modern software deployment. Letâs jump right in.
Jon: Hello, welcome. Welcome, Chris and welcome back, Rich. Itâs another episode of Mobycast.
Rich: Hey.
Chris: Hey guys.
Jon: Good the hear your voices. This week, weâll jump right in because weâre doing a part two of the series on REST, REST-faced microservices, and how to build clean and beautiful microservices with the RESTÂ APIs.
Last week, we just touch a lot of basics. Itâs a couple of episodes that are really learning-focused to help make sure that we build stuff as software developers thatâs useful for other people, easy to maintain, easy to understand, and easy to hand off to other developers.
Last week, we just talked about what it is, a lot of basics, the different methods, how it works, and how the naming scheme works. We talked a little bit about the relationship between REST and the HTTP protocol, how REST APIs are essentially broadening the HTTP protocol to things beyond just web pages. [âŠ] heads around what this thing is and gave examples on what to do and what not to do.
My favorite thing from last week was we donât do something like /order/neworder as our REST endpoint. We just use /orders and we do a post to it. Thatâs well-understood, but as well-understood as it is, at Kelsus we definitely see thatâs not always being followed. I would argue that there are maybe times to break out of REST when itâs just feeling like youâre turning yourself into a pretzel to keep the exact RESTful ideas in mind and you just need something one-off or special, but we can talk about that a little later.
This week, weâre going to get into a few things. I think this is a little more hardcore so donât think of this as drier but more hardcore. Weâre going to talk about authentication, error handling, and something that I canât pronounce because Iâm not really familiar with it. Chris will say that when we get to it. And then maybe some helpful tools when developing your APIs. Letâs jump in and let somebody besides me talk. Letâs talk about authentication, Chris.
Chris: Yeah. Obviously, authentication is pretty important with an API. You may have some APIs that are public and open to the world and you donât really need any identity associated with that. But I think for the most part, those are pretty few and far in between. So, almost always, you have a case where when someoneâs calling your API, you need to be able to identify who they are to do the authentication, and then thereâs also the caller, the authorization. Once I know who they are, do they actually have permissions to do what it is that theyâre asking to do? So, very fundamental parts of building an API.
When youâre designing a RESTful API, it poses this challenge. This is like, âWell, how do you do this?â especially given that for the most part, itâs a stateless communication mechanism. You have clients that are making calls or sending their API calls to you over HTTP/HTTPS, the serverâs receiving it, and then returns back a response. So itâs this request-response pattern and each one of those things is essentially atomic. How do you manage things like sessions or set-up this identity and being able to know who they are and they can do another authentication or authorization? Pretty fundamental.
Jon: You just said something, though, that I just need to dig into a little bit because I hear this thrown around a lot and I just want to make sure that we know what that means. You just said âstateless.â A lot of application servers really do focus on being stateless so your microservices are not keeping track of what your users are doing or the overall state of the application. But itâs a bit nuanced and I just want to point out that the overall application is absolutely stateful. You as the user, youâre looking at a client thatâs different as you do different things so that state of the client is changing. Thatâs stateful. And then, the thing in the server, the back-end, letâs just call this whole thing the back-end, itâs totally stateful, too. As you write that new blog post or as you update your status in that social media app, youâre changing the state of the world thatâs known about you in the back-end.
The only thatâs stateless is just the thing thatâs running the microservice and listening for a request and returning a response. Thatâs the part thatâs stateless. Is that fair to say, Chris?
Chris: Yeah. Typically, when we talk about stateful versus stateless, weâre talking about the communication channel between two entities and whether or not itâs stateful or stateless. As a system, absolutely thereâs always a state. Itâs towards somewhere, but it becomes just a point of distinction of like, in this particular part of the system between these two entities, do they have a stateful relationship or is it a stateless relationship? So, this passing of request and getting a response as backing that particular relationship, if you will, is stateless.
Jon: Right. It has no idea what the last thing you asked for was and itâs not going to predict whatâs the next thing youâre going to ask for. It just doesnât keep track.
Chris: Right.
Jon: Cool. Continuing on in our authentication world.
Chris: Yeah, so authentication. We have to figure out identity of the caller and how do we do that. Thereâs a bunch of techniques out there. One of the most straightforward, easiest ways to implement is just use basic HTTP authentication. Something like this is super easy to implement.
Your caller has an identity based on username and password. Whenever they send a request to your service, that username and password gets Base64-encoded and it gets put into the HTTP request header. With an HTTP call, there is piece of that. Thereâs headers on it so itâs almost like the metadata about the packet of data that youâre sending and then the actual packet itself. In that metadata, in the headers is for you to store this authentication information, username and password thatâs Base64-encoded, thatâs received over on the server side, and it can then Base64-unencode to figure out this is the username and password and then authenticated against a particular identity store that you may have.
So, really simple to implement. The client OS just knows its username and password, sends it over in a header, server receives it, looks it up in the database, and replies. It can either allow that request to continue or return back an error saying youâre not allowed. It is simple. Itâs also not secure at all. Base64 is not encryption at all. Itâs just a way of describing binary data in a text format. Super easy to see what that information is.
If you do use basic authentication with you APIs, then you absolutely have to send that over TLS. You have to send it over an encrypted connection. Basic authentication over non-encrypted traffic is a no-no. Itâs a big deal killer. Itâs like, âPut down your pens, put down your keyboards, youâre not allowed to type anymore. Youâre done. Game over.â
Thatâs basic authentication. Itâs really very few applications with uses anymore. Itâs just so simple, rudimentary, kind of legacy, and thereâs really no reason for doing it other than just pure simplicity.
The leads into other methods that are based around essentially exchanging short-lived tokens that are negotiated based upon the true credentials of the user. Think of this as I have a username and password, Iâm going to go authenticate with some service or entity, itâs going to validate that, and in return itâs going to give me back a short-lived token thatâs unique to me, that identifies me as being that particular person. Now, I can send that token as part of my authentication request. Then the back-end can then say, âGiven this token, who are they from that?â and then decide whether or not to allow access to that request.
Jon: And the two advantages I think that you get out of this token-based authentication are one, just fewer requests containing username and password information or just reducing the overall surface area of request that have that username and password information in it. The other one is to deny a token or deauthorize a token without making somebody change their username and password.
Chris: Yes indeed. Thereâs various schemes that you basically use this type of token. Principals that you have things like OAuth, which is a spec for forging on with authentication. The O stands for Open. OAuth basically defines that dance of, given my credentials, some other service is the identity provider or identity store that exchanges those credentials for one of these short-lived tokens. Based upon that now it can make request.
OAuth has various different flavors. Thereâs the 1.x generation of OAuth and OAuth 2.0. Obviously, OAuth 2.0 is newer though thereâs actually not as many implementations of that. Itâs definitely more complicated. A lot of common, bigger applications that use OAuth for authentication are using either the 1.x version or some flavor of it, maybe specific to their implementation.
Jon: Thatâs what I was going to say, Chris. I thought that O was for the, âOh, and not consistent across implementations.â
Chris: Yeah and at the end of the day, itâs open for interpretation, if you will, and itâs up to how folks want to do it. Facebook authentication has its way of doing it versus Google versus any other major APIs, whatever APIs. Thereâs an entire API economy, many different APIs out there that you can call and they all implement authentication and theyâre all slightly different. You have to just look at the details and what is it they are expecting. Thatâs OAuth.
One of the challenges with OAuth is, do you have to implement your own OAuth server? Thatâs where there are off-the-shelf systems that you can use for that or hosted versions, but it does have some complexity. To hide some of that complexity, there are other services that come very popular for doing identity management. These are services like Auth0, OneLogin, Okta. Thereâs many of these.
Jon: We talked about Cognito a couple of weeks ago.
Chris: Yeah, sure. Cognito, absolutely. These are services really to take away some of that complexity. It makes them very easy to get going with it. They end up either they host the identity store or they federate to your identity store thatâs maybe in another server or another database, but theyâre responsible for doing that handshake of, âGiven my credentials, give me back a short-lived token that uniquely identifies me, guarantees thatâs me, and now I can make my calls that way.â
Those are typically represented as JWTs, stands for JSON Web Token. Itâs just a standard format for these tokens of how to pack them up. They end up literally being a JSON document with some well-defined schema to identify who the person is. Then they are encrypted with a hash to make sure that theyâre secure.
Jon: Right. Just helps bring a little more consistency to the whole OAuth dance statistic.
Chris: It just takes the complexity out of the interpretation, if you will, so itâs much easier just to use one of the least common identities towards services for authentication and identification of users. Thatâs why they are so popular. Itâs one of those things where your API is not going to win because of how you implemented OAuth. Itâs like what AWS loves to call undifferentiated heavy lifting. Going with someone else that does that for you makes a lot of sense here.
Jon: Great. We could talk so much more about authentication but letâs move on into error handling, one of the things thatâs even less consistent than authentication across most APIs I look at.
Chris: Yeah. This is another big area that if you donât go in with some kind of overriding principles, it can get really messy very quickly and make life very frustrating for your application developers that are using your API. Kind of understanding whatâs the contract between the clients and the back-end. What is that? What are those responses look like? How do I indicate a successful response versus an unsuccessful response? And the reasons why, perhaps, things went wrong.
This is where, again, RESTful APIs are built on top of HTTP. The HTTP protocol already has well-known status codes to indicate whether things succeeded or failed. It has different categories actually for success and for failure codes. Most people are definitely familiar with this, like 200 is one of the most popular error codes right now. It just means OK. It was successful. We have a 201 is another successful response but that means something was actually created. Itâs a little bit of extra information there, different, just to let you know that something was actually done. In general, the 200 through 299, if you will, anything in the 200s, those represent success conditions.
The 300 level error codes, those are mostly for redirect commands. Itâs not so much that something succeeded or failed. Itâs just that, âHey, Iâm going point you in a different direction because this is not where you should be looking for this thing. Itâs actually should be over here.â
Then you have the 400 level codes. There are for errors that happened. The 400 level errors indicate you caller did something wrong probably. This is not something thatâs wrong on the back-end. Itâs actually something wrong with you. You sent a request that was malformed or was unexpected, it was invalid.
Jon: Or it was something that wasnât there.
Chris: Right, exactly. And then you have the 500 level error codes. The 500 level error codes are, âHey, something went wrong when I try to fulfill your request. Thereâs something wrong on my side. It wasnât your fault, caller. It was my fault.â
Those are the general categories. They do become important because if you, as a caller, getting back a 400 level error code, then you know that it means that the caller screwed up. I need to change something probably with my request and then I can resubmit it to hopefully get a successful response. Versus if Iâm getting a 500 level code, I know that it wasnât me that screwed up. It was the back-end. So I can probably resubmit that request and it may then succeed at a later time.
Itâs important definitely to keep that contract in place with your API. Be very consistent with this of when you return 200 versus 400 versus 500. Then also be very aware of the various codes inside of each one of those ranges that makes sense. If youâre doing a GET, one of those safe item-potent operations and itâs returning back a resource representation, like itâs a 200, 200âs OK. If youâre doing a POST to create a new item in your resource collection, that should be a 201. 201 says, âYes, I created it successfully. I had a content in there, and it was successful.â If Iâm doing a DELETE and the response back from API implementation says thereâs nothing to return back other than a status code because youâve deleted it, Iâll return status code 204. Basically, 204 is success but empty body. Thereâs no content associated with it. Just understanding the basic common codes is important to do when your implementing your API.
Jon: Right, Chris. One of the most common things that Iâve seen in misusing status codes is like on the server side, you just return a 200 even though you didnât do what the request asked for and returning some sort of an error message through a 200 status code. I see that certainly commonly and it would be nicer if that was in the 400 range or 500 range. If some error really happened, just really let the client know.
I remember a specific thing with you. You and I werenât working together at Kelsus. I was working at Kelsus and you were working at a different company. We had to negotiate a work-around hack because a library that I was using just totally took such a left turn on any kind of error code, that I needed this error that youâre returning to be in the 200 range so that I didnât end up in this dark dungeon of error handling that the library provided. I needed to be in the happy place of the 200 and youâre like, âNo, I canât do that.â We eventually had to do it. It had to work. So, if youâre writing libraries, make sure that the clients are also able to realize that not all error codes are necessarily bad. Sometimes, there are error codes that should be easily manageable inside the client.
Chris: I think this gets into maybe the 400 level codes as well. Thereâs a bunch of things that could cause a client request to not be fulfilled under back-end. Very typical one like you mentioned was the content is not there. I requested a particular entity by its resource ID and it just doesnât exist because maybe some other client actually deleted it or someone else deleted it. I may get back a 404 Not Found where everyone knows this from web browsers. You typed in an address in your browser bar, for an address that doesnât exist on a particular site, youâre going to get a 404 error. The same thing that in your API should be doing something like that.
In general, you have the 400 error code for Bad Request. Something was formatted incorrectly about your request and you return back a 400. You have another one thatâs pretty common would be 409, which represents conflict. This is a way for the server to let the client know that, âHey, you tried to do something thatâs inconsistent with what the state is on the back-end, so you may be out-of-sync caller.â You can use that information to now correct yourself.
Jon: [âŠ] demonstrated that bear trap memory of yours. I swear that is what it was.
Chris: Iâm sure it was. I believe what it was is the application was doing something simple like you have a feed of items and those items you want to be able to mark them as either some of them are favorites versus not favorites. You can have multiple apps open doing this. One of the apps I can mark one as a favorite but on the other app, it still thinks that itâs not a favorite, so I can tap favorite on that. It sends, âGo mark this as favorite,â to the server. So the server looks at it and says, âYouâre trying to mark the status as favorite, but it already exist as favorite. You just sent me something that doesnât make sense. I think that probably the state on you is not up-to-date so Iâm going to send back an error code letting you know that I didnât mark this as favorite because it already is. That represents a conflict, so Iâm going to return back a 409 error code.â That is a hint to you as a client to now go and refresh your state so you can get it to what it really is. Youâre just out-of-state.
Itâs really useful when clients cache information for performance reasons, obviously. This is the way of letting you know that your cache now needs to be invalidated. I think this was the situation that we ran into.
Jon: I do. I think youâre right. Letâs talk about one other 400 type issue because I think it comes up a lot. I donât know the right answer for this but basically if you make a request to an API and youâve got something a little wrong with it, maybe every first letter is supposed to be capitalized or thereâs a part of a JSON string that needs to be a string and not a JSON object. Itâs so nice when the API tells you what you did wrong. Itâs the difference between a super productive interface and one that requires lots of bloody fingers on the keyboard for days and days, trying to figure out what wrong and why what are you sending to the API isnât working.
We didnât have time to really document out the error responses and make them easy to understand. That can happen and I get that. But Iâve heard some arguments about not doing this on public APIs or on private APIs that shouldnât be available to the public because it could present a security risk, because it could let somebody reverse engineer the API by sending too much information about what youâre giving it that itâs not expecting. Have you heard this too, Chris?
Chris: Yeah. Again, this is a wide open area and itâs so specific to your API and the situation, but you do want to take into account things like security and just how much information you are giving up. You want to return back information thatâs going to be helpful to the caller but without divulging perhaps more information than they should have.
One of the really common scenarios for this is like it gets that have logins. Iâm logging in username and password, then I get a response back of whether or not that was successful. If you return back information like, âWell, the username that you gave was correct but the password is wrong,â and return back an error code, youâre getting a 401, youâre not authorized, so you get a 401 error code, and then the details of the error Iâll tell you, âOh, your password is incorrect.â
By doing that, youâve given me some information that, âOh, itâs a valid username. Itâs a valid email address. Thatâs information I didnât have before. Now that I know itâs a valid account, I can now use that information to not just figure out what the password is for that,â versus if you return back something just more generic like, âEither your username or your password was incorrect,â youâre no divulging that additional information.
I think thatâs one of those examples. Other ones get more maybe in the 500 level error codes where something has gone wrong in the back-end. Maybe a database is down or something like that, you try to connect to your PostgreSQL database server and it failed. Or worse, maybe itâs been misconfigured and the password for the connection string is wrong or something like that. that may throw an error on the back-end and the error message that your error assets maybe it does have a string saying, âHey, the connection failed because the credentials and for debugging reasons or whatever, it includes the connection string that he used.â If you then just return that verbatim in your error response, thatâs a huge no-no. You just divulged your database connection string to any caller. I did that. Thatâs definitely a case where you need to sanitize your errors.
Error sanitization is super important for the 500 level codes, almost always. Youâll never want to give back the reasons why it went bad. On the back-end to the caller, you just need to let them know it did go back because again, thereâs nothing that they can do. They didnât cause the database connection problem. Thatâs not like they donât need an information they canât do anything with that information other than bad stuff, so donât return that.
You want to keep that in mind for the 400 level stuff as well. You have to consider it on a case-by-case basis. Be careful. You donât need to return all this information, but definitely if they sent you a bad request, then it was because this particular query parameter was out-of-range. You should give them the information that lets them know that was out-of-range. That was the reason that that request was bad.
Jon: I get away to remember not to air your dirty laundry in the 500 level errors that you return to your clients. Itâs just that, thatâs a great way to take the express elevator to the number one entry on Hacker News. People love to find somebody air their dirty laundry in the 500 API response and the post about it. Everybody loves to pile on and talk about how stupid that person was for doing that.
Chris: Yeah. Such a bad way to rise to the top of the ranks. It happens. We would all like to be popular there but thatâs the wrong way. Donât do it that way.
I think that covers, in general, error handling and 400 versus 500 level errors. I think maybe one slight nuance thatâs important is, in this world now of microservices where back-end implementations are making upstream calls to other services, itâs interesting and the back-end service becomes a client of some other service. Now when itâs making a call to that dependent microservice and it gets back a 400 error, chances are that 400 error now represents a 500 error to the original caller.
You canât just always say, âOh, whenever itâs a 400 level error, itâs this and not a big deal versus a 500 level error. You have to ask yourself, âWhoâs the caller and what does that mean?â If my API implementation is making a malformed request to a dependent service, that probably represents a bug in my back-end code and I shouldnât be returning a 400 back to my client because my client thinks itâs their fault. It wasnât their fault. It was actually the serverâs fault. So itâs really important to do that translation right. That should become a 500 level error to the originating client.
Jon: Right. This put me in a very common architecture pattern in AWS these days recently where I was getting a 500 error back from the API gateway, a 502, and the 502 was really because my Lambda function that the API gateway was calling was not returning what that API gateway expected.
Chris: Yup, exactly. Thereâs definitely some very common conventions and some best practices you can do, but you always have to consider whoâs the caller, whoâs the provider here. Just keep that in mind and know that you need to do that translation as you walk through the chain of calls throughout your system.
Jon: Great. I think we have a few more minutes. I promised everybody that we would get to at least the one where I couldnât pronounce it because I donât know what it is. It seems like HateOps or HateOS or something. I donât know what this is. What is that?
Chris: Full disclosure. Iâm not sure I really heard anyone pronounce it other than me, so I cannot guarantee you that this is the way that other people pronounce it. I always would call it HATEOAS. Itâs an acronym for Hypermedia As The Engine Of Application State. An easier way to describe this is basically just Hypermedia. Itâs Hypermedia APIs. Really what it means is itâs an API style where you have just a very small number of well-known endpoints for callers to start with, and then after that, the rest of the API becomes discoverable by the responses that come from that.
You can think of it almost like the Choose Your Own Adventure books. This may not be the perfect analogy but you start with one page or one entry point, you get back the response, then the response basically tells you what are your next choices you could do. There maybe some information there that says like, âOh, if you want to go and fetch this resource, here is the way to do it. If you want to update this resource, hereâs the way you do it. If you want to deleteâŠâ
Jon: I get it. Letâs make it concrete. âGive me all the orders. I know how to get all the orders. Okay, here they are and with each one, hereâs the URL to get that specific one. Hereâs also another one if you want to make a new one. Hereâs one that you can call to make a new one. Also, with each one here,â like you said, âhereâs how you delete an order.â
Chris: Right. Thatâs what these Hypermedia APIs are. Really, the Holy Grail here is something that is completely automated. Youâre basically automating the consumption of the API through this data-driven way of interacting with the back-end. In principle, itâs something thatâs very appealing and very powerful. In practice, it ends up becoming not nearly as magical. The promise is that the clients donât really need to know anything other than those well-known endpoints. They start off with some path, they make the call, and they get all the information they need back in that payload that presents them all the various options they can do next and then to go from there.
By the way, this is all based upon again, the web. This is the way the web works. Think of it as Google. You just go to Google and then you type in your search, youâre presented back with a bunch of different links. Then you click on a link and what does that do? It takes you to another page and there you get another bunch of links. Then you can decide what to do there when you click a link. Thatâs Hypermedia. Itâs really taken that same idea and extend it to, this is how your APIÂ works.
Jon: The difference is the decision-making machine thatâs able to deal with that Hypermedia API in the example you gave is wetware. Itâs our brains. We know how to handle unexpected information and what to do about it. We can do that as people but no carrot can do that yet that Iâm aware of.
Chris: Not only that, but also the list of actions in that particular example is really limited. You can just choose a link. Really, the only thought processes is like, âWhat link do I wanna click next?â but the action is just click versus with a RESTful Hypermedia API where youâre saying, âOh, hereâs how you delete, hereâs how you update, hereâs how you get, and hereâs how you patch,â or whatever like that. What are the semantics of those actions?
Jon: âWhat presents that button for deleting and what happens when I do delete? What do I do with that response?â
Chris: Yes. Your client has to understand those semantics and it has to be able to recognize how to affect those actions based upon these Hypermedia links that are included in the responses. Thatâs where it gets really cloudy and murky, and some of that luster comes off of this data-driven API thing. All that said, I have built Hypermedia APIs and it worked pretty well.
Jon: Iâm still sort of torn about it because sometimes the work to do that for the client, to use the Hypermedia information that comes back, sometimes thatâs more overall work in a project than just being like, âOkay, call this whenever you want to delete.â Telling me outside of the program, like you and me, youâre the developer, Iâm the developer, you tell me with words to my human brain to do this instead of telling me through the code. Because then, I have to write code that knows how to do something with.
I guess it just really depends, like how much of your application really is common patterns to respond to unknown sets of things like, âWe donât know what the URL is going to be but every time you get this kind of resource, you know youâre going to do this with it.â Those such a situation, itâs like, âOh yeah, Hypermedia,â but in lots of other situations, it just feels like, âJust hard code the endpoint to see that, or not the entire endpoint but just the path.â
Chris: I should point out that one of the biggest reasons for wanting to use Hypermedia API is it does give the possibility of launching new features, increasing the functionality of your API without any client change. Thatâs the Holy Grail here. I think in certain situations this makes sense to try to go do this.
If you have a pretty simple application but you know you want to be able to extend to it and maybe add, it could be the crud on just new things. Itâs like you go from maybe orders to then also include shipments, sales, whatever it may be, other things. Maybe something like that lends itself well to something like this where you can come and keep it pretty discrete and the semantics of it, but you want to continue expanding the coverage of the types of resources that involves.
You donât have to make any updates to your clients. You can have a mobile app and you donât have to push any new updates to the store to be able to consume the new API because itâs all data-driven. Thatâs pretty attractive but again, you have to balance that out with like, âOkay, can I really cover the semantics of this adequately in that client to take advantage of that condition?â
Jon: Yeah. This is just such an important thing, making this decision whether to use Hypermedia or not because it doesnât pack the learning on the team, time to build stuff. I just want to point out that if your building something like an order system or a sales system, itâs more likely that the reactions to the various different types of resources in that system or objects in that system are going to be very specific to that thing youâre working on. So you handle an order entirely differently than you might handle an invoice.
Therefore, that kind of system might lend itself less to Hypermedia than for example a social media system where, âHey, there might be posts. I can share a map, I can share a video, I can share a photo, I can share a thought about myself or a little friendly widget that I draw on my phone. All different kinds of things I can share,â and theyâre all different objects, maybe in different tables in a database or something for whatever reason, so they have maybe different endpoints.
But at the end of the day, the application might be able to use a similar mechanism for displaying each one. âLet me just get the stuff that Iâm supposed to show to the user.â In that case, it could be really handy to do that because then I could just throw a new Hypermedia API at it and I just have the ability to add a VR video to my feed without changing the client.
Chris: Yeah, you bring up a good point. It doesnât have to be all-or-nothing. Your entire API doesnât have to be Hypermedia API. You can just use it for some parts of it that make a lot of sense. All that said, Hypermedia APIs are interesting but also the real-world practicality of implementing them and consuming them, not straightforward. Given that, Iâve done many APIs. Iâve been putting in there many APIs and of all those, really one was a Hypermedia API. So, take that for what itâs worth. It is a limited use case for it but itâs something thatâs good to know about and to be able to consider.
Jon: Weâre truly out of time but then weâre going to talk about tools for developing your API? Maybe we can just quickly say Apiaryâs pretty cool. Lets you do stuff, lets you define the API, lets you even abuse it a little bit just in a mock kind of way, and Swagger is the language for defining the API that you can use inside of Apiary or in other tools as well. I think that youâd want to quickly add to that?
Chris: Again, if you are building APIs, by all means, please do yourself a favor, go and use one of these tools. Thereâs so many of them out there. Theyâre all really good. Apiary, Swagger, Kong, they all allow you to basically define your API, provides nice documentation for it, they provide mocks for you so you can be up and running. Your clients can actually hit the API and get back responses without writing a single line of code. Itâs really a great way to just get going and to really focus on the actual development, the spec, the defining of the API. So, absolutely, definitely go use one of these tools when you go build APIs.
Jon: Very cool. Great conversation and thanks for putting this together, Rich, if youâre still there.
Rich: Yeah. Sorry itâs on mute. Rich is asleep. APIsâŠÂ APIsâŠ
Jon: Richâs company, Secret Stache, has been developing an API for us to use for our clients, construction-instruction services. Mostly, Rich was not asleep and was getting a little something out of this himself.
Rich: IÂ was.
Chris: Awesome.
Jon: All right, thanks so much, Chris and Rich. Talk to you guys next week.
Chris: All right. Thanks guys. See you. Bye.
Jon: Bye.
Rich: Later.
Well dear listener, you made it to the end. We appreciate your time and invite you to continue the conversation with us online. This episode, along with show notes and other valuable resources is available at mobycast.fm/49. If you have any questions or additional insights, we encourage you to leave us a comment there. Thank you and weâll see you again next week.
Building RESTful APIs (Authentication & Error Handling) was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.